Yoast SEO Plugin Authenticated, Stored XSS Vulnerability

The “snippet preview” functionality of the Yoast WordPress SEO plugin was susceptible to cross-site scripting in versions before 2.2 (<= 2.1.1). This vulnerability appears to have been reported 2 years ago by someone named “badconker”, but the plugin author said that it was already patched. Unfortunately, it appears that this is not the case. If you are running this plugin, I recommend updating to the latest version.

The vulnerable part is on line 6 of wordpress-seo/js/wp-seo-metabox.js, where the yst_clean function passes the “str” parameter to jQuery's .html() function and then reads the text back out of the resulting object. Because .html() parses its argument as markup, any HTML in the input is interpreted by the browser (and any event handlers it carries fire) before the text is extracted, so the sanitization function itself executes the injected markup.
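The two orderings side by side, as an added example that is not code from the Yoast plugin or its author. `handlersParsedFrom` and `textAfterHtmlParse` are a Node-only stand-in for what `jQuery('<div/>').html(str).text()` does in a browser (report, not execute, what the parse step would run, then return the tag-stripped text), and `cleanSnippetText` is a text-only cleaner that escapes markup before anything could parse it; the sample strings are constructed.

```javascript
// Stand-in for the parse step of jQuery('<div/>').html(str): a browser
// builds DOM nodes from the markup and, for elements such as
// <img src=x onerror=...>, runs the handler while parsing, before .text()
// is ever called. This only lists the handler attributes; nothing runs.
function handlersParsedFrom(str) {
  const found = [];
  const attrRe = /<[a-z][^>]*?\s(on[a-z]+)\s*=/gi;
  let m;
  while ((m = attrRe.exec(str)) !== null) found.push(m[1].toLowerCase());
  return found;
}

// Stand-in for the .text() step: the tags are gone, so the returned string
// looks clean even though the damage happened one call earlier.
function textAfterHtmlParse(str) {
  return str.replace(/<[^>]*>/g, '');
}

// Text-only cleaner: escape the characters that can open markup or break out
// of an attribute, so the string can never be interpreted as HTML.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Safe snippet cleaner: escape first, then normalise whitespace. This is the
// order principle behind doing the regex replacements before any .html().
function cleanSnippetText(str) {
  return escapeHtml(str).replace(/\s+/g, ' ').trim();
}

// Constructed sample values, as they might be stored in post meta.
const samples = [
  'Best coffee in town',
  'Best <b>coffee</b> in town',
  'Coffee <img src=x onerror=alert(1)> in town',
];

for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log('  handlers the parse step would run:', handlersParsedFrom(s));
  console.log('  what .text() then returns:        ', JSON.stringify(textAfterHtmlParse(s)));
  console.log('  text-only cleaner:                ', JSON.stringify(cleanSnippetText(s)));
}
```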

It seems the fix introduced in 2.2 was to move the .html() call below the regex replacements: